E-Business Tenth Edition

Similar presentations

2 Learning Objectives In this chapter, you will learn:What security risks arise in online business and how to manage themHow to create a security policyHow to implement security on Web client computersHow to implement security in the communication channels between computers222

16 Establishing a Security Policy (cont’d.)Security policy pointsAuthentication: Who is trying to access site?Access control: Who is allowed to log on to and access site?Secrecy: Who is permitted to view selected information?Data integrity: Who is allowed to change data?Audit: Who or what causes specific events to occur, and when?

17 Security for Client ComputersMust be protected from threatsThreatsOriginate in software and downloaded dataMalevolent server site masquerades as legitimate Web siteChapter topics organized to follow the transaction-processing flowBeginning with consumerEnding with Web server at electronic commerce site

22 Cookies and Web Bugs (cont’d.)Tiny graphic that third-party Web site places on another site’s Web pagePurposeProvide a way for a third-party site to place cookie on visitor’s computerInternet advertising community:Calls Web bugs “clear GIFs” or “1-by-1 GIFs”Graphics created in GIF formatColor value of “transparent,” small as 1 pixel by 1 pixel

29 Java Applets (cont’d.) Java sandboxConfines Java applet actions to set of rules defined by security modelRules apply to all untrusted Java appletsNot established as secureJava applets running within sandbox constraintDoes not allow full client system accessPrevents secrecy (disclosure) and integrity (deletion or modification) violations

30 JavaScript JavaScript Scripting language developed by NetscapeEnables Web page designers to build active contentBased loosely on Sun’s Java programming languageCan be used for attacksCannot commence execution on its ownUser must start ill-intentioned JavaScript program

31 ActiveX Controls ActiveX control Component constructionObjects containing programs and properties Web designers place on Web pagesComponent constructionMany different programming languagesCommon: C++ and Visual BasicRun on Windows operating systems computersExecuted on client computer like any other program

52 Steganography Steganography Can be used for malicious purposesHiding information within another piece of informationCan be used for malicious purposesHiding encrypted file within another fileCasual observer cannot detect anything of importance in container fileTwo-step processEncrypting file protects it from being readSteganography makes it invisibleAl Qaeda used steganography to hide attack orders

55 Communication Channel SecurityInternetNot designed to be secureDesigned to provide redundancyRemains unchanged from original insecure stateMessage traveling on the InternetSubject to secrecy, integrity, and necessity threats

59 Integrity Threats Also known as active wiretappingUnauthorized party alters message information streamIntegrity violation exampleCybervandalismElectronic defacing of Web siteMasquerading (spoofing)Pretending to be someone elseFake Web site representing itself as original

63 Threats to the Physical Security of Internet Communications ChannelsInternet’s packet-based network design:Precludes it from being shut downBy attack on single communications linkIndividual user’s Internet service can be interruptedDestruction of user’s Internet linkLarger companies, organizationsUse more than one link to main Internet backbone

72 Encryption Solutions (cont’d.)Symmetric encryption (private-key encryption)Encodes message with one of several available algorithmsSingle numeric key to encode and decode dataMessage receiver must know the keyVery fast and efficient encoding and decodingKey must be guarded

73 Encryption Solutions (cont’d.)ProblemsDifficult to distribute new keys to authorized parties while maintaining security, control over keysPrivate keys do not work well in large environmentsData Encryption Standard (DES)Encryption algorithms adopted by U.S. governmentMost widely used private-key encryption systemFast computers break messages encoded with smaller keys

97 Access Control and Authentication (cont’d.)Usernames and passwordsProvide some protection elementMaintain usernames in plain textEncrypt passwords with one-way encryption algorithmProblemSite visitor may save username and password as a cookieMight be stored in plain textAccess control list (ACL)Restrict file access to selected users

98 Firewalls Firewall Placed at Internet entry point of networkSoftware, hardware-software combinationInstalled in a network to control packet trafficPlaced at Internet entry point of networkDefense between network and the InternetBetween network and any other networkPrinciplesAll traffic must pass through itOnly authorized traffic allowed to passImmune to penetration

100 Firewalls (cont’d.) Should be stripped of unnecessary softwarePacket-filter firewallsExamine all data flowing back and forth between trusted network (within firewall) and the InternetGateway serversFilter traffic based on requested applicationLimit access to specific applicationsTelnet, FTP, HTTPProxy server firewallsCommunicate with the Internet on private network’s behalf